Security and SSL

If you are using this on a real website you might want to use SSL and make your installation secure. There are a few things you can do. For most people running on their local machine that do not want it on the internet do not require any of these settings, but it will not harm if they did. Following the instructions above you should already be using ProxyRequests Off

<Directory> / <Location>

• location acts upon the url only, directory works on the physical file path, so they basically do the same thing via the 2 declarative paths.
• however, directory is a little more secure because there can be multip-le urls poitning to the same file whereas when using directory there is only 1 file path so directory is better for security permissions etc ..
• directory and location directives can be used within a virtual host and will apply to that virtualhost only, if not it will be applied to the main/default website/name/localhost etc..
• using <directory> is better than <location>

SSL on non default port

• SSL on Webrick
• Defect #12102: Installed Redmine in a sub-URI: Links are generated not correctly - Redmine - This is where i got the proper subdirectory code that works and also has the code for SSL usage
• Listen Directive - Official Documentation
• How to configure WEBrick to serve Redmine over SSL using openSSL certificate | PI Media - Web Apps Development

The optional protocol argument is not required for most configurations. If not specified, https is the default for port 443 and http the default for all other ports. The protocol is used to determine which module should handle a request, and to apply protocol specific optimizations with the AcceptFilter directive.

You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443:

Listen 192.170.2.1:8443 https

Hooks

• Secure the commit path ie /sys/ folder - i read some where that you should protect the {redmine}/sys folder and was not sure why or where i have seen that. but the reaon is to protect where you send the post-commit.bat submissions ie. curl "http://<redmine url>/sys/fetch_changesets?key=<your service key>"
• use https cURL and https for submitting locations
• HowTo Automate repository creation - Redmine - Mentions Web Service and security

Secure Proxy

• ProxyRequests Off - prevent abuse of proxy
• Protect the subversion / REdmine installation with IP blocking in Apache
• HowTo Install Redmine on subdirectory (sub-URI) on Apache - Redmine - Tells of how you should restrict access when using apache proxy

apache httpd.conf

<Proxy *>
  Order Deny,Allow
  Deny from all
  Allow from 192.168.0
</Proxy>

• http://serverfault.com/questions/500650/how-can-i-enable-mod-proxy-http
• Hide the Apache Web Server Version number with ServerSignature and ServerTokens directives
• How to hide apache information with ServerSignature and ServerTokens directives - Virendra's TechTalk